Disable internet access via command line


threemonks

Occasional Visitor
@ColinTaylor Should /jffs/scripts/firewall-start be triggered by firewall start? I edited this file with the following contents
#!/bin/sh
iptables -I FORWARD -m time --timestart 00:30 --timestop 06:00 --kerneltz -o $(nvram get wan0_ifname) -j REJECT
then issued this command
service start_firewall
But the rule is not showing up in the output of
iptables-save | grep time
Or does iptables-save only show rules that are currently in effect (thus not showing when it is outside of the time window specified)?

It seems to me that using -i br0 would result in me being blocked from accessing the router as well, in the event that the firewall rules are in effect and I need to make some change or debug something?
 

ColinTaylor

Part of the Furniture
Try service restart_firewall instead.

If it still doesn't show anything do the following:
Code:
chmod 777 /jffs/scripts/firewall-start
dos2unix /jffs/scripts/firewall-start

It seems to me that using -i br0 would result in me being blocked from accessing the router as well, in the event that the firewall rules are in effect and I need to make some change or debug something?
No that's not the case.
 

threemonks

Occasional Visitor
service restart_firewall
does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Thu --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Fri --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sat --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A FORWARD -o eth0 -m time --timestart 00:30:00 --timestop 06:00:00 --kerneltz -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Mon --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Tue --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.
 

ColinTaylor

Part of the Furniture
does make this specific iptables rule show up in the firewall rules output. Here is the output (omitted more similar rows for different days and mac addresses):

So the service-start script does make this rule into the firewall list. Still need to figure out why it continues to block internet even after the timestop time.
OK I didn't know you were also using parental controls and time based blocking. There's likely to be some sort of conflict there. I'd have to see the complete unedited output of iptables-save to offer any more suggestions as my firmware is different from yours.
 

threemonks

Occasional Visitor
Parental control was not quite effective as it can be worked around by MAC address spoofing. Would it simplify the issue if I don't use parental control?
@ColinTaylor I will PM you the unedited complete iptables-save output. I would appreciate it if you could help take a look.
 

ColinTaylor

Part of the Furniture
Parental control was not quite effective as it can be worked around by MAC address spoofing. Would it simplify the issue if I don't use parental control?
It would definitely be worth trying without parental controls enabled.
 

threemonks

Occasional Visitor
It turns out that it works as expected after turning off parental control and keyword filtering. It would be interesting and helpful to understand how parental control and keyword filtering interfere with the script-configured iptables rule for blocking WAN access for a specified time period.
 

threemonks

Occasional Visitor
I tried turning on keyword and URL filtering, and it seems to work fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.
 

ColinTaylor

Part of the Furniture
I tried turning on keyword and URL filtering, and it seems to work fine with my internet blocking rule specified via /jffs/scripts/firewall-start. So it is really just the parental control rule that is interfering with this customized internet blocking firewall rule.
As far as I can see any parental control restrictions would be applied after your custom script rule.

So in your example from post #24, you were blocking traffic from all devices between 00:30 and 06:00. Additionally, traffic from the specified devices was also blocked between 00:00 and 07:00 (which of course includes 00:30 and 06:00).
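
Added example, not part of the thread or of the router firmware: a small Python helper that reads `-m time` rules from iptables-save text and reports which of them match at a given weekday and clock time, so overlapping windows like the ones discussed above can be checked offline. The function names are hypothetical, the sample is three lines copied from the partial excerpt posted earlier, and the weekday test is applied to the current day only (a simplification for windows that wrap past midnight).

```python
from datetime import time

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Rule lines copied from the iptables-save excerpt posted in the thread
# (MAC addresses redacted as in the post; the excerpt is partial).
SAMPLE = """\
-A PCREDIRECT -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Thu --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
-A FORWARD -o eth0 -m time --timestart 00:30:00 --timestop 06:00:00 --kerneltz -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -m mac --mac-source XX:XX:XX:XX:XX:XX -j PControls
"""

def _hms(text):
    """Parse HH:MM or HH:MM:SS into a datetime.time."""
    return time(*(int(part) for part in text.split(":")))

def parse_time_rules(dump):
    """Return one dict per '-A' rule that uses the time match."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A ") or " -m time " not in line:
            continue
        tok = line.split()
        def opt(flag, default=None):
            return tok[tok.index(flag) + 1] if flag in tok else default
        rules.append({
            "chain": tok[1],
            "start": _hms(opt("--timestart", "00:00:00")),
            "stop": _hms(opt("--timestop", "23:59:59")),
            "days": set(opt("--weekdays", ",".join(DAYS)).split(",")),
            "mac": opt("--mac-source"),   # None means the rule covers every device
            "target": opt("-j"),
        })
    return rules

def is_active(rule, day, clock):
    """True if the rule's time match holds on `day` (e.g. 'Thu') at `clock`."""
    now = _hms(clock)
    if day not in rule["days"]:
        return False
    if rule["start"] <= rule["stop"]:
        return rule["start"] <= now <= rule["stop"]
    return now >= rule["start"] or now <= rule["stop"]  # window wraps midnight

def active_targets(dump, day, clock):
    """(chain, target) of every time rule matching at that moment, in order."""
    return [(r["chain"], r["target"])
            for r in parse_time_rules(dump) if is_active(r, day, clock)]

if __name__ == "__main__":
    for day, clock in [("Thu", "03:00"), ("Thu", "06:30"), ("Thu", "12:00")]:
        print(day, clock, active_targets(SAMPLE, day, clock))
```

At 06:30 on Thursday neither the script's REJECT window nor the per-device window starting at 07:00 matches, which is the period where ColinTaylor's explanation says the parental control schedule, not the custom rule, decides what happens to that device.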
 
